Digital Solutions & Online Creative 

Alex runs a small digital creative business from an office in London. It's called Outside In Media.

About

SOYREX is a web development and design resource intended as a place for me to share tips and tricks relating to html, css, web design, web development and other internet and web topics. If you like what you read, leave a comment, or send an email. Also, check out my company web site.

    Tuesday, Aug 25, 2009

    I hate spam bots. But I hate captcha more.

    I posted a message a while back about spam in comments and Django. I don't agree with a lot of the opinions I held at the time; however, one point I raised that I believe holds true is that the responsibility for spam prevention should be the developer's, not the user's. In short, I hate and completely disagree with "captcha" style spam protection on forms. As a user I sometimes find that, in an attempt to make the image unreadable by a computer, the text is so obscured that I find it difficult to read myself. This isn't good enough.

    This point holds especially true for the project I am currently working on, which has only a simple email contact form. I do not want a valid, human client to have to tackle entering a captcha image or solving a math problem just to send the company a contact. So I set about reading about ways to catch spam on the server side.

    My Solution

    The solution that I've come up with marries two fairly old concepts together with some fairly simple logic (the success of this is untested, however I think it should be fairly effective - time will tell, and I'll keep people posted here).

    The two techniques I will be using are: timestamping and honeypots.

    So what are they?

    Timestamping

    The concept of timestamping involves sending a timestamp to the form and storing it in a hidden field, effectively allowing us to know when the form was rendered. This is useful for two reasons:

    1) We can check that the user spent a reasonable amount of time filling out the form. The theory here is that a user is unlikely to post the form instantly, whereas a spam bot that has scraped the page will very quickly be able to pull out the form fields and post it. For example, in this current project my contact form asks for a name, email, subject and message. A human can't type these into a form in less than, say, 5-10 seconds, so when the form is submitted I can check the timestamp in the hidden field against the current time and reject a submission that is too rapid.

    2) We can force the form to expire after, say, 1 hour, and provide the user with a simple message that says something like "sorry, the form has expired.. please try again".

    Obviously the "too fast" time would depend on the size of the form that you are requiring them to fill out.

    The secret here is also NOT to redirect to the form page, but to store the form values they have entered in the session, so that we can provide a link saying "click here to re-submit the form" and explain that the client needs to wait 10 seconds before sending the form.

    Honeypots

    Honeypots are used to trick spambot engines into telling us they are a spam bot. Basically the logic is as follows: a spambot tries to guess the values for the inputs in a form when it submits it. So if we use CSS to completely hide a honeypot text field, the spambot is likely to try to guess a value for that field. We then assume that any submission with a value in that field is a bot and display a message suggesting as much; if they are not a bot, we allow them to click a button to submit the form. This should in theory prevent a bot successfully submitting the form.

    Time will tell how well these two techniques will work together to cut back on spam. If anyone is interested, I could probably tidy up the Django code and release it as an app for people to play with...
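A server-side check combining the timestamp and honeypot rules described above, as an added example (plain Python, not the author's Django code). The field names `rendered_at` and `website`, the thresholds and `SECRET_KEY` are assumptions, and the HMAC signature is an addition to the post's scheme so that a client cannot simply back-date the hidden timestamp.

```python
import hashlib
import hmac
import time

# Assumed values for this sketch; tune MIN_SECONDS to the size of the form.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"
MIN_SECONDS = 5             # anything faster is treated as a bot
MAX_SECONDS = 60 * 60       # the form expires after one hour
HONEYPOT_FIELD = "website"  # hypothetical field name, hidden with CSS


def _sign(ts: str) -> str:
    """HMAC-SHA256 of the timestamp string, hex encoded."""
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for the hidden field when the form is rendered: '<ts>:<mac>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(ts)}"


def check_submission(form: dict, now=None) -> str:
    """Return 'ok', 'honeypot', 'tampered', 'too_fast' or 'expired'."""
    now = time.time() if now is None else now
    # Honeypot: humans never see the field, so any value marks a likely bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot"
    ts, _, mac = form.get("rendered_at", "").partition(":")
    # Verify the MAC (constant-time compare) before trusting the timestamp;
    # int(ts) is only reached for values this server issued.
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return "tampered"
    age = now - int(ts)
    if age < MIN_SECONDS:
        return "too_fast"   # keep the values in session and offer a re-submit
    if age > MAX_SECONDS:
        return "expired"
    return "ok"
```

The signature only proves the timestamp came from the server; a client that waits out `MIN_SECONDS` before posting still passes the timing rule, which is why it is paired with the honeypot.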


    Reader Comments (24)

    I was thinking about writing something like this myself (I heard about it somewhere else), so I would be interested in the code. If you could release this as an app that would really be great. Otherwise just a code dump here would be nice as well.

    TiNo

    August 27, 2009 | Unregistered Commenter Tino de Bruijn

    Nice post Alex. I have several colleagues who are getting hammered with spambot logins and registrations, about 50 per day. One colleague is going to try geobytes, which will redirect visitors from certain countries to a url of your choice. I'd like to send the bots to a black hole of sorts but don't know enough about that to really help at this point. If you have any suggestions please email me directly. Thanks.

    August 27, 2009 | Unregistered Commenter Florida Web Design

    Captchas are one of the greatest inventions of all time. Not only do they prevent all of the useless spam I was getting, they also help translate books that cannot be properly read through OCR.

    Just because you throw a bitchfit every time you dislike something, doesn't mean they are a bad thing.

    December 7, 2009 | Unregistered Commenter Mobile Web User

    @Mobile Web User: An incredibly informed comment.. well done.

    You might want to try reading the article.. placing the responsibility for spam on the user is a stupid idea - I stand by that.

    December 11, 2009 | Registered Commenter rex

    Clever solutions! In my recent spam-killing attempts, CAPTCHA has felt like a necessary evil, but these 2 filters might change my ways (especially since some of the sites I've worked on are beginning to get popular enough for the CAPTCHA-reading bots to take notice). Do you have any word on how effective this has been for you so far?

    January 4, 2010 | Unregistered Commenter Anthony Navarre

    This is interesting. Let me know when it comes out: spam.smith1234@gmail.com

    January 8, 2010 | Unregistered Commenter spam.smith1234@gmail.com

    That's interesting, but can't the bots be made such that they fill the forms in maybe a minute or more? In that case won't the timestamp idea fail?

    February 20, 2010 | Unregistered Commenter bhu

    I love the honeypot idea, definitely going to give it a go!

    March 2, 2010 | Unregistered Commenter Benjamin Reid

    I know some people use things like roboform to fill out forms which might also false trigger the time stamp.

    March 3, 2010 | Unregistered Commenter Natetronn

    I like your site. It’s really simple and cool without no much of put ups. I am also going to design my site simple and nice as yours

    June 13, 2010 | Unregistered Commenter PK

    Is it not ironic that the post on June 25th 2010 was by a spambot?

    June 30, 2010 | Unregistered Commenter Derek

    Hey Derek. You're quite right. The new site is hosted at squarespace, and their spam protection isn't really all that great. I moderate the comments on the site now and then.. and it keeps it pretty clean, but I missed that one on the 25th (I've killed it now).

    July 9, 2010 | Registered Commenter rex

